
Your eCommerce business needs a Website Privacy Policy

Privacy policies aren't sexy but they're certainly important for long-term eCommerce success. Here's everything you need to know.

By Jules


August 4, 2016

Your eCommerce business needs a Website Privacy Policy if you do these 3 things

Is your Website Privacy Policy a Frankensteinian monster? Did you sit up late at night, copying clauses from different sources, and eventually hiding the abomination in a dark corner of your website’s footer where no one (hopefully) will ever look?


Here’s the thing: Every website that collects user information needs a Website Privacy Policy. You may be collecting personal data such as emails, names, addresses, or credit card information, and your privacy policy must be tailored according to the data that you collect! An inaccurate Website Privacy Policy may expose you to the risk of having your website taken down, or in the worst case, potential legal action. The regulation of personal data use is overseen by the Personal Data Protection Council (PDPC) in Singapore and the Privacy Commissioner for Personal Data (PCPD) in Hong Kong.

So before someone comes for you with pitchforks and torches, let’s make sure you have a good Website Privacy Policy! If your business does any of the following, you should definitely have a unique Website Privacy Policy:

1) Your website uses cookies.
A cookie is a small file of letters and numbers stored on the browser or hard drive of the user’s computer. Cookies are what track a visitor’s login information or save orders in a shopping cart so your visitors have a more personalised browsing experience when they return.

Today, almost all websites use cookies! As such, you need to have a section in your Website Privacy Policy that specifies what data your cookies collect.

There are, broadly speaking, four different categories of cookies. While you may use all four, the Website Privacy Policy you copied (or the template you used) might cover only one or two. This is why it is important for your Website Privacy Policy to be tailored for what you really need!

The four broad categories are:

Strictly necessary cookies are cookies that are required for the operation of your website. They include, for example, cookies that enable the user to log into secure areas of your website, use a shopping cart, or make use of e-billing services.

Analytical/performance cookies allow you to recognise and count the number of visitors and to see how visitors move around your website when they are using it. This helps you to improve the way your website works, for example by ensuring that users are finding what they are looking for easily.

Functionality cookies are used to recognise the user when the user returns to your website. This enables you to personalise your content for the user, greet the user by name, and remember the user’s preferences (for example the user’s choice of language or region).

Targeting cookies are cookies that record the user’s visit to your website, the pages the user has visited, and the links the user has followed.


2) You want to use personal data for direct marketing, statistical analysis, or any other secondary purpose(s).

In the course of marketing, it is not uncommon to profile your buyers in order to send them email marketing messages. You need to outline all the ways you use your data in your Website Privacy Policy.

➤ Example member registration form from Do you collect personal data for marketing purposes?

2. Member Registration form - EC Rent

3) You store data in the cloud – maybe in Google Drive, Shopify, or another third-party app.

When you upload data online, it’s easy to forget that it is physically stored somewhere. But it is, and for the law, the where and how matter. Somewhere in your Privacy Policy, you should state where and how the data is stored and used.


Storing credit card information requires extra care. In fact, you probably need a specialised third-party app to do it legally, one which is PCI (Payment Card Industry) compliant. Common e-commerce apps, such as Shopify, are PCI compliant.

It is also important that you consider the guidelines provided in your country for dealing with outages or breaches. Singapore, for example, introduced new cloud outage incident response (COIR) guidelines that require businesses to employ reasonable security arrangements to protect personal data in their possession or under their control from unauthorised access, collection, use, disclosure, copying, modification or disposal. Failure to comply can result in fines of up to SGD $1 million.

Last but not least, somewhere in your Website Privacy Policy, you need to name your company’s Data Protection Officer (DPO). This is who your customers can contact to learn what data you have on them, and to ask you to correct or remove it. Both Hong Kong and Singapore require that organisations appoint a DPO under the PDPO and PDPA respectively.

Believe it or not, we’ve seen privacy policies where the business owner copied a privacy policy without changing the contact email address! Failing to reply to, and comply with, a customer who asks you to correct or remove his data can lead to warnings or fines.

There are many reasons to be suspicious of the Website Privacy Policy hiding in the dark corner of your website footer. Does it let you do everything you want to do? Does it accurately reflect how your business uses data? Your website needs a Website Privacy Policy that reflects how your company uses the data, not how companies in general use it.

Dragon Law’s free trial lets you draft a Website Privacy Policy that is perfectly tailored to your business. Sign up for free here and find out how creating legal documents can be as easy as answering a few simple questions.


This guest article is brought to you by Shermin Oh from Dragon Law and edited by Easyship.

About Dragon Law


Dragon Law is the trusted platform to manage law online.
Founded in Hong Kong in 2013, our mission is to transform the way businesses meet their legal needs. Our simple question-and-answer interface gathers key insights about your business, and generates highly-customised contracts that address your specific needs. We give business owners the know-how and confidence to create even the most complex legal documents from start to finish.
Experience the new face of business law.